registry  /  @agent-link/agent  /  0.1.269

@agent-link/agent@0.1.269

AgentLink local agent CLI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `agentlink-client start` and accesses the resulting relay session; `service install` makes this persistent.
Impact
A party controlling an authorized or compromised relay session can execute shell commands and modify or exfiltrate accessible workspace data.
Mechanism
Relay-controlled local PTY, workspace handlers, tunnels, and AI CLI subprocesses.
Rationale
No concrete covert or install-time malicious chain was found, but the source implements an intentionally high-impact remote agent with unattended AI execution. This is a dangerous dual-use capability that warrants a warning rather than a block.
Evidence
package.jsonREADME.mddist/connection.jsdist/terminal.jsdist/copilot.jsdist/service.jsdist/cli.jsdist/emergency-upgrade.js~/.agentlink/config.json~/.agentlink/agent.json~/.agentlink/logs~/.config/systemd/user/agentlink.service~/Library/LaunchAgents/ai.agentlink.client.plist%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/AgentLink.bat
Network endpoints2
wss://msclaude.aimsclaude.ai/files/agent/latest.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/connection.js` accepts relay messages for terminal, file, Git, and tunnel operations.
  • `dist/terminal.js` opens a local PTY and forwards remote input to its shell.
  • `dist/copilot.js` invokes Copilot with `--allow-all` and `--no-ask-user`.
  • `dist/service.js` creates boot-persistent services only through `service install`.
  • `dist/cli.js` downloads and globally installs upgrades only through explicit `upgrade` commands.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • `README.md` documents the relay/remote-control behavior and explicit service and upgrade commands.
  • `dist/emergency-upgrade.js` restricts emergency artifacts to the package name, allowed origin/path, size, and integrity checks.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 665 KB of source, external domains: cdn.jsdelivr.net, login.microsoftonline.com, msclaude.ai, www.apple.com

Source & flagged code

6 flagged · loading source
dist/copilot.jsView file
10*/ L11: import { spawn, execFileSync } from 'child_process'; L12: import { createInterface } from 'readline';
High
Child Process

Package source references child process execution.

dist/copilot.jsView on unpkg · L10
190catch { L191: // where/which failed — try PowerShell on Windows L192: if (isWin) {
High
Shell

Package source references shell execution.

dist/copilot.jsView on unpkg · L190
dist/emergency-upgrade.jsView file
4import { join, posix } from 'path'; L5: import { gunzipSync } from 'zlib'; L6: export const EMERGENCY_MANIFEST_URL = 'https://msclaude.ai/files/agent/latest.json'; L7: const ALLOWED_ARTIFACT_ORIGIN = 'https://msclaude.ai'; ... L176: } L177: if (normalizedPath === 'package/package.json') { L178: if (packageIdentity) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/emergency-upgrade.jsView on unpkg · L4
dist/service.jsView file
1import { execSync } from 'child_process'; L2: import { existsSync, mkdirSync, writeFileSync, unlinkSync } from 'fs'; ... L48: } L49: return join(homedir(), '.config', 'systemd', 'user', `${SERVICE_NAME}.service`); L50: } ... L183: try { L184: execSync(`launchctl unload "${plistPath}" 2>/dev/null`); L185: } ... L215: function getStartupBatPath() { L216: const startupDir = join(process.env.APPDATA || join(homedir(), 'AppData', 'Roaming'), 'Microsoft', 'Windows', 'Start Menu', 'Programs', 'Startup'); L217: return join(startupDir, `${SERVICE_NAME}.bat`); ... L264: export function isServiceInstalled() {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/service.jsView on unpkg · L1
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @agent-link/agent@0.1.265 matchedIdentity = npm:QGFnZW50LWxpbmsvYWdlbnQ:0.1.265 similarity = 0.938 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
741else { L742: execSync(`npm install -g "@agent-link/agent@${targetVersion}"`, { stdio: 'inherit' }); L743: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L741

Findings

1 Critical3 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/copilot.js
HighShelldist/copilot.js
HighRuntime Package Installdist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/service.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/emergency-upgrade.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings